Secure and Scalable Linux Management – A Guide to Deploying SUSE Multi-Linux Manager on Google Cloud


Managing a modern Linux environment is complex. Virtual machines and containers are spread across on-premises data centers and various public clouds. How do you keep them patched, configured, secure, and compliant? This is where a centralized management solution becomes essential. 

Key takeaways

  • Centralize Linux lifecycle management across on-premises and cloud environments
  • Deploy SUSE Multi-Linux Manager securely on Google Cloud using private networking
  • Improve patching, compliance, and CVE response at scale
  • Use a modern, containerized architecture built on SUSE Linux Micro

The 5Ws: SUSE Multi-Linux Manager on Google Cloud?

Let’s explore the “5Ws” to understand why this blog post matters to you.

  • Who is this blog post for? It’s for IT architects, system administrators, DevOps engineers, and IT managers responsible for the health and security of a fleet of Linux servers. If you manage more than a few instances, you’re in the right place.
  • What is SUSE Multi-Linux Manager (SMLM)? It is a unified control plane that oversees the entire lifecycle of your Linux environment — including SUSE, Red Hat, AlmaLinux, Ubuntu, and more. It automates patching, streamlines configuration management, audits for security vulnerabilities (CVEs), and reliably provisions new systems. 
  • Where does it run? SMLM can manage clients anywhere: in your data center, in the public cloud, or at the edge. This guide focuses on deploying the SMLM server on Google Cloud to provide a scalable, resilient, and globally accessible management hub across hybrid environments, including public, private, and on-prem. 
  • When do you need it? You need it when manual administration no longer scales or when you want to avoid manual mistakes. When you need to prove compliance to an auditor. When a critical CVE is announced and you need to know your exposure and patch dozens or hundreds of systems right now, not next week.
  • Why should you use SUSE MLM? To regain control, improve security, and boost efficiency. By centralizing management, you lower administrative tasks, enforce consistent security policies, reduce remediation time, and keep your entire Linux environment stable and compliant.

Architectural Overview

We will deploy the SUSE Multi-Linux Manager (SMLM) server on a Google Compute Engine (GCE) instance, but not just any instance. For maximum security and realism, our architecture should include:

  • Custom VPC Network: An isolated, private network space for our resources.
  • Private Subnet: The SUSE Multi-Linux Manager server will live in a subnet with no public IP addresses, preventing direct exposure to the internet.
  • Cloud NAT Gateway: To give the server controlled outbound internet access for downloading updates and packages.
  • Google Cloud IAP: We will use the Identity-Aware Proxy (IAP) to securely access our SMLM instance’s SSH and HTTPS ports without needing a bastion host or a public IP address. Alternatively, customers can integrate with suitable VPN or secure interconnection options to control access.
  • Dedicated Service Accounts: Following the principle of least privilege, it is recommended to create fine-grained service accounts for the SUSE Multi-Linux Manager server and the clients it manages.
  • Private DNS Zone: To provide reliable, internal-only name resolution for the SUSE Multi-Linux Manager server, which is a critical requirement for the software.

A note on the modern MLM architecture

Starting with version 5.0, SUSE Multi-Linux Manager underwent a major architectural change. Previously installed on a standard SUSE Linux Enterprise Server (SLES), SUSE Multi-Linux Manager now operates as a containerized application. The default host OS is SUSE Linux Micro, a lightweight, immutable operating system designed specifically for hosting container workloads.

This shift brings several advantages:

  • Enhanced Security: SLE Micro’s minimal, read-only design reduces the attack surface.
  • Enhanced Reliability: System updates are transactional and atomic, ensuring they are safer and more predictable.
  • Simplified Subscriptions: The SUSE Multi-Linux Manager subscription now covers both the MLM application and the underlying SLE Micro host operating system, simplifying entitlement management.

Tip

SUSE Multi-Linux Manager can also be deployed on SUSE Linux Enterprise Server (SLES), but no OS license is included. Customers must provide an OS license.

This guide uses the official SUSE BYOS GCE SMLM image, which bundles this modern, container-ready architecture. To find the most current and appropriate image for your deployment, SUSE strongly recommends using the SUSE Public Cloud Information Tracker (PINT) tool. Use the SUSE PINT Tool, navigate to the Images tab, select Google as the cloud provider, and search for suse-multi-linux-mgr-server. This will provide you with the latest available image details, including the exact image name to use.

A note on subscriptions and procurement

The SUSE Multi-Linux Manager (SMLM) image on the Google Cloud Marketplace is officially listed as a Bring-Your-Own-Subscription (BYOS) offering. This means you need to have a subscription directly with SUSE. However, SUSE offers a flexible purchasing option through the Google Cloud Marketplace Private Offers program. This allows you to buy your SMLM subscription directly through the marketplace, which can help simplify your cloud spending. 

Basically, this purchase counts toward any committed-use discount programs you have with Google Cloud, while still granting you direct access to SUSE’s world-class support experience. To explore SUSE’s private offerings, including SUSE Multi-Linux Manager, navigate to the following link: SUSE Products on Google Cloud Marketplace. From there, simply select the SUSE Multi-Linux Manager offering to get started.

Note

You need a Google Cloud user account to list the SUSE Multi-Linux Manager from the Google Cloud Marketplace. If you have any problems, please get in touch with cloudsales@suse.com.

Prerequisites: Pre-existing Google Cloud Infrastructure

Before deploying the SUSE Multi-Linux Manager GCE instance, make sure the basic Google Cloud infrastructure is set up. This guide focuses on the SMLM-specific deployment, assuming these key components are already configured. Here’s what you’ll need to have ready:

  • Google Cloud Project: A dedicated GCP project with billing enabled and the Compute Engine and Identity-Aware Proxy APIs activated.
  • Custom VPC Network: A custom Virtual Private Cloud (VPC) network, providing an isolated environment for your resources.
  • Private Subnet: A private subnet within your VPC, where the SMLM server will reside. It is advisable to enable Private Google Access on this subnet (--enable-private-ip-google-access), allowing VMs to reach Google APIs privately without a public IP.
  • Static Internal IP Address: A reserved static internal IP address within your private subnet, ensuring a stable and predictable IP for the SMLM server.
  • Cloud NAT Gateway: Configured to provide outbound-only internet access for instances within your private subnet. This enables the SMLM server to fetch updates and packages securely without a public IP.
  • Firewall Rules:
    • An ingress rule allowing SSH (port 22) and HTTPS (port 443) traffic only from Google IAP IP ranges (35.235.240.0/20), targeting your SMLM VM via a network tag.
    • Optional: An egress rule to deny all outbound internet traffic by default (lowest priority).
    • Optional: A higher-priority egress rule allowing outbound traffic for VMs with a specific network tag (which your SMLM VM will have) through the Cloud NAT Gateway.
  • Private DNS Zone and ‘A’ Record: A private managed DNS zone linked to your VPC, with an A record mapping your desired Fully Qualified Domain Name (FQDN) for the SMLM server (e.g., mlm.example.internal.) to its reserved static internal IP address.
  • Dedicated Service Accounts:
    • A primary service account for the SMLM VM with roles such as logging.logWriter, monitoring.metricWriter, and any other roles needed based on your environment to manage other GCE instances.
    • A secondary, lower-privilege service account for VMs that will be managed by SMLM clients, with basic logging and monitoring roles.

Once this infrastructure is prepared, you can move forward to define and launch your SUSE Multi-Linux Manager GCE instance.

SUSE Multi-Linux Manager GCE Instance Deployment

Now we create the VM itself, using a specialized BYOS (Bring Your Own Subscription) image from SUSE.

  • Define the existing infrastructure configurations: First, let’s identify the key environment variables that relate to your existing infrastructure.
    export PROJECT_ID="YOUR_PROJECT_ID"
    export REGION="REGION_NAME"
    export ZONE="${REGION}-LOCATION"
    export VPC_NAME="VPC_NAME"
    export SUBNET_NAME="SUBNET_NAME"
    export MLM_RESERVED_IP="MLM_RESERVED_IP"
    export MLM_SA_ID="SERVICE_ACCOUNT_NAME@${PROJECT_ID}.iam.gserviceaccount.com"
    export MLM_NETWORK_TAG="CHOOSE_A_TAG_NAME"
    export INTERNET_ACCESS_TAG="CHOOSE_ANOTHER_TAG_NAME"
    export GCP_LABELS="app=suse-mlm,env=demo"
    export MLM_FQDN="SUSE_MULTI_LINUX_MANAGER_FULLY_QUALIFIED_DNS_NAME"
  • Define Instance Configuration: The SUSE Multi-Linux Manager documentation states the minimum hardware requirements. We will meet these using an e2-standard-4 machine type with dedicated SSD persistent disks for the repository data and the database.
    export INSTANCE_NAME="mlm1"
    export MACHINE_TYPE="e2-standard-4"
    export MACHINE_IMAGE="IMAGE_NAME_FROM_PINT"   # exact image name found with the SUSE PINT tool
    export BOOT_DISK_SIZE="50GB"
    export DATA_DISK_NAME="repos-data1"
    export DATA_DISK_SIZE="200GB"
    export DB_DISK_NAME="db1"
    export DB_DISK_SIZE="50GB"
  • Create the disks: It is best practice to create data disks separately before creating the instance.
    gcloud compute disks create ${DATA_DISK_NAME} \
      --project=${PROJECT_ID} --zone=${ZONE} \
      --size=${DATA_DISK_SIZE} \
      --type="pd-ssd" --labels=${GCP_LABELS}
    
    gcloud compute disks create ${DB_DISK_NAME} \
      --project=${PROJECT_ID} \
      --zone=${ZONE} --size=${DB_DISK_SIZE} \
      --type="pd-ssd" --labels=${GCP_LABELS}
  • Create the SUSE Multi-Linux Manager GCE Instance: This command combines everything: the network and static IP, the service account, the tags that the firewall rules match on, and the disks we just created.
    gcloud compute instances create ${INSTANCE_NAME} \
      --project=${PROJECT_ID} \
      --zone=${ZONE} \
      --machine-type=${MACHINE_TYPE} \
      --network-interface=network=${VPC_NAME},subnet=${SUBNET_NAME},private-network-ip=${MLM_RESERVED_IP},no-address \
      --service-account=${MLM_SA_ID} \
      --tags=${MLM_NETWORK_TAG},${INTERNET_ACCESS_TAG} \
      --image=projects/suse-byos-cloud/global/images/${MACHINE_IMAGE} \
      --boot-disk-size=${BOOT_DISK_SIZE} \
      --boot-disk-type="pd-ssd" \
      --disk=name=${DATA_DISK_NAME},device-name=mlm-repo-disk,mode=rw,boot=no \
      --disk=name=${DB_DISK_NAME},device-name=mlm-db-disk,mode=rw,boot=no \
      --scopes="https://www.googleapis.com/auth/cloud-platform" \
      --shielded-secure-boot \
      --labels=${GCP_LABELS}
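Once the instance exists, it is worth confirming that it really matches the baseline the create command asks for. The following added example (not from the original post) is a small audit over the JSON that gcloud compute instances describe --format=json returns: no external address, Secure Boot on, both network tags present, and both data disks attached under the device names the storage step later expects. The checks use grep on the JSON so they run without jq; the two JSON samples at the end are constructed for the demonstration, and the default tag names mlm-server and nat-egress are assumptions standing in for the placeholders in this guide's variables.

```shell
#!/usr/bin/env bash
# Added example: audit a created instance against the guide's hardening expectations.
# Input is the JSON from: gcloud compute instances describe NAME --zone=ZONE --format=json
# Tag names below are assumptions; the samples at the bottom are constructed.
set -u

MLM_NETWORK_TAG="${MLM_NETWORK_TAG:-mlm-server}"
INTERNET_ACCESS_TAG="${INTERNET_ACCESS_TAG:-nat-egress}"

# audit_instance_json JSON: prints one FAIL line per finding, returns 0 only when all pass.
audit_instance_json() {
  local json="$1" failures=0 tag dev
  # 1. No external address: an accessConfigs entry with natIP would expose the server.
  if printf '%s' "$json" | grep -q '"natIP"'; then
    echo "FAIL: instance has an external IP (natIP present)"; failures=$((failures + 1))
  fi
  # 2. Shielded VM Secure Boot must be on (--shielded-secure-boot at creation).
  if ! printf '%s' "$json" | grep -q '"enableSecureBoot": true'; then
    echo "FAIL: secure boot not enabled"; failures=$((failures + 1))
  fi
  # 3. Both network tags, otherwise the IAP ingress and NAT egress rules do not match.
  for tag in "$MLM_NETWORK_TAG" "$INTERNET_ACCESS_TAG"; do
    if ! printf '%s' "$json" | grep -q "\"$tag\""; then
      echo "FAIL: missing network tag $tag"; failures=$((failures + 1))
    fi
  done
  # 4. Repository and database disks attached under the device names mgr-storage-server will use.
  for dev in mlm-repo-disk mlm-db-disk; do
    if ! printf '%s' "$json" | grep -q "\"deviceName\": \"$dev\""; then
      echo "FAIL: disk $dev not attached"; failures=$((failures + 1))
    fi
  done
  [ "$failures" -eq 0 ] && echo "PASS: instance matches the private, shielded baseline"
  [ "$failures" -eq 0 ]
}

# Pipe form for real use:
#   gcloud compute instances describe "$INSTANCE_NAME" --zone="$ZONE" --format=json | audit_from_stdin
audit_from_stdin() { audit_instance_json "$(cat)"; }

# Constructed sample (abridged): what a correctly created instance looks like.
HARDENED_SAMPLE='{
  "name": "mlm1",
  "disks": [
    {"boot": true, "deviceName": "persistent-disk-0"},
    {"boot": false, "deviceName": "mlm-repo-disk"},
    {"boot": false, "deviceName": "mlm-db-disk"}
  ],
  "networkInterfaces": [{"networkIP": "10.10.0.10", "subnetwork": "mlm-private"}],
  "shieldedInstanceConfig": {"enableSecureBoot": true, "enableVtpm": true},
  "tags": {"items": ["mlm-server", "nat-egress"]}
}'

# Constructed sample: the same instance created without no-address, without secure boot,
# with one tag and no data disks (the kind of drift a quick manual rebuild produces).
EXPOSED_SAMPLE='{
  "name": "mlm1",
  "disks": [{"boot": true, "deviceName": "persistent-disk-0"}],
  "networkInterfaces": [{"networkIP": "10.10.0.10", "accessConfigs": [{"natIP": "203.0.113.7"}]}],
  "shieldedInstanceConfig": {"enableSecureBoot": false},
  "tags": {"items": ["mlm-server"]}
}'

# ./audit.sh demo  -> runs the audit on both constructed samples
if [ "${1:-}" = "demo" ]; then
  audit_instance_json "$HARDENED_SAMPLE"
  audit_instance_json "$EXPOSED_SAMPLE" || true
fi
```

The natIP check is the one that matters most in this design: the firewall rule only restricts the IAP range, so a stray external address would put the web UI and SSH one misconfiguration away from the public internet.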

SUSE Multi-Linux Manager Configuration

Once our infrastructure is set up, the final steps occur within the newly created instance.

  • Connect to the GCE Instance: Use the gcloud CLI to SSH into the instance through the IAP tunnel. The instance has no external IP, so --tunnel-through-iap makes the IAP path explicit instead of relying on gcloud's fallback.
    gcloud compute ssh --zone=${ZONE} ${INSTANCE_NAME} --project=${PROJECT_ID} --tunnel-through-iap
  • Register the Host OS: Once inside the VM, you need to register the base operating system with SUSE to activate the software repositories.
    # !! EDIT THE FOLLOWING TWO VARIABLES with your SUSE credentials !!
    export SCC_EMAIL="YOUR_SCC_EMAIL@example.com"
    export SCC_REG_CODE="YOUR_REGISTRATION_CODE"
    
    # Register the base SLE Micro OS with the SUSE-managed Infrastructure on Google Cloud
    sudo registercloudguest -e ${SCC_EMAIL} -r ${SCC_REG_CODE}
    
    # Enable the 'Multi-Linux-Manager-Server' extension
    sudo transactional-update register -p Multi-Linux-Manager-Server/5.1/x86_64 -r ${SCC_REG_CODE}
    
    # Apply all OS updates
    sudo transactional-update up
  • Reboot: In a transactional system like SLE Micro, a reboot is required to apply updates and enable the new repositories. Your SSH session will disconnect.
    sudo reboot
  • Prepare Storage: Wait a moment, then reconnect to the VM using the same gcloud compute ssh command. Next, format and mount the data and database disks with the provided utility.
    # Reconnect to the VM first:
    gcloud compute ssh --zone=${ZONE} ${INSTANCE_NAME} --project=${PROJECT_ID} --tunnel-through-iap
    
    # Identify the device names
    ls -l /dev/disk/by-id/google-mlm-repo-disk /dev/disk/by-id/google-mlm-db-disk
    
    # Use the mgr-storage-server utility to prepare the disks.
    # The first device is for repositories, the second is for the database.
    sudo mgr-storage-server /dev/disk/by-id/google-mlm-repo-disk /dev/disk/by-id/google-mlm-db-disk

SUSE Multi-Linux Manager Installation

Install and Deploy SUSE MLM: This is the final step. The mgradm command pulls the necessary containers and deploys the application.

# Read the passwords without echoing them, so they never appear in the shell history
read -rsp "SSL CA password: " CA_PASS; echo
read -rsp "SMLM admin password: " ADMIN_PASS; echo

# The exports from your workstation are not present in this VM session, so set the FQDN again
export MLM_FQDN="SUSE_MULTI_LINUX_MANAGER_FULLY_QUALIFIED_DNS_NAME"

# Run the install command
sudo mgradm install podman ${MLM_FQDN} \
  --db-admin-password="${ADMIN_PASS}" \
  --ssl-password="${CA_PASS}"

# Check the status of the services
sudo mgradm status

Accessing SUSE Multi-Linux Manager Web User Interface

Your SUSE MLM server is now running! To access it, you need to establish one final IAP tunnel from your local machine to the instance.

  • Start the IAP Tunnel: Open a new local terminal (do not run this inside the VM’s SSH session) and execute the following command. It will forward your local port 8443 to the instance’s port 443.
    gcloud compute start-iap-tunnel ${INSTANCE_NAME} 443 \
      --local-host-port=localhost:8443 \
      --zone=${ZONE} \
      --project=${PROJECT_ID}
  • Log In: Open a web browser on your local machine and navigate to https://localhost:8443. You should see the SUSE Multi-Linux Manager login page. Log in with the username admin and the admin password you set in the previous step.

Conclusion

Congratulations! You have successfully deployed SUSE Multi-Linux Manager 5.1 in a secure, well-architected environment on Google Cloud. From here, you can start synchronizing product channels from SUSE, creating activation keys, and onboarding your first clients. By using a private network, Cloud NAT, and IAP, you have established a robust, secure foundation ready to manage your entire Linux infrastructure.

References

SUSE Multi-Linux Manager Official Documentation.

Abdelrahman Mohamed An advocate for the new SUSE solutions by acting as a public speaker at SUSE conferences, delivering partners workshops, contributing to the SUSE best practices series, and contributing regularly to the SUSE official blogs. As the Global Solutions Architect for the Google Alliance at SUSE, I help SUSE to Invent and enhance SUSE solutions operating on Google Cloud. I contribute to introducing the digital transformation guidance to simplify, modernize, and accelerate the efforts to go to market.